When a Linux server is being port-scanned from external IP addresses, the administrator usually deploys an intrusion detection environment such as Snort. Snort is complicated to deploy, however, and sometimes all we need is to stop the malicious scanning. In that case the PortSentry tool is a simple way to do it. Although PortSentry is no longer developed since its acquisition by Cisco, that does not diminish the tool's capabilities.
While checking the security of a CentOS 5.5 server, I found that many IP addresses were scanning its ports. I originally wanted to deploy a Snort intrusion-prevention environment, but found that deploying Snort was very complicated, and that handling these scans could be done entirely with PortSentry. PortSentry is one of the simplest and most effective intrusion detection tools. It is part of the Abacus project, whose goal is to build a host-based network intrusion detection system; more information about the Abacus project is available from http://www.psonic.com. PortSentry detects almost every type of network scan in real time and responds to it. When it detects suspicious behaviour, it can take the following measures to strengthen the host's defences:
◆ Provide false routing information, redirecting all traffic from the scanning host to a non-existent host;
◆ Automatically add the host that scanned the server to the /etc/hosts.deny file of TCP Wrappers. I personally prefer this method, because iptables is not enabled in many production environments; this is also PortSentry's default action;
◆ Use the Netfilter mechanism with a packet-filtering program such as iptables or ipchains to drop all packets from the scanning host;
◆ Log a message through syslog(), and optionally return a warning message to the scanner.
I. Installation of PortSentry
The following describes how to install and configure the PortSentry tool.
1. Unpack and compile:
# tar zxvf portsentry-1.2.tar.gz
# cd portsentry-1.2_beta
# make
# make install
At this step an error is reported and no portsentry executable is produced. Looking at the Makefile, we see that make has a separate target for each operating system.
So we delete the directory, unpack the archive again, and repeat the step with the Linux target.
Running make linux still reports an error, as shown below:
SYSTYPE=linux
Making
./portsentry.c:1585: error: missing terminating " character
./portsentry.c:1595: error: expected ?.?. before ?.?. token
make: *** [linux] Error 1
Solution:
Open the portsentry.c file and go to around line 1590: the printf string containing "Copyright 1997-2003" has been broken across two lines, so join it back into a single line (the highlighted line is the one to merge).
After the adjustment, run make linux && make install. PortSentry is installed under /usr/local/psionic/portsentry, and the following message indicates that the installation succeeded:
Edit /usr/local/psionic/portsentry.conf and change
your settings if you haven't already. (route, etc)
WARNING: This version and above now use a new
directory structure for storing the program
and config files (/usr/local/psionic/portsentry).
Please make sure you delete the old files when
the testing of this install is complete.
For reference, the full compiler output before the fix was:
cc -O -Wall -DLINUX -DSUPPORT_STEALTH -o ./portsentry ./portsentry.c \
./portsentry_io.c ./portsentry_util.c
./portsentry.c: In function 'PortSentryModeTCP':
./portsentry.c:1187: warning: pointer targets in passing argument 3 of 'accept' differ in signedness
./portsentry.c: In function 'PortSentryModeUDP':
./portsentry.c:1384: warning: pointer targets in passing argument 6 of 'recvfrom' differ in signedness
./portsentry.c: In function 'Usage':
./portsentry.c:1584: error: missing terminating " character
./portsentry.c:1585: error: 'sourceforget' undeclared (first use in this function)
./portsentry.c:1585: error: (Each undeclared identifier is reported only once
./portsentry.c:1585: error: for each function it appears in.)
./portsentry.c:1585: error: expected ')' before 'dot'
./portsentry.c:1585: error: stray '\' in program
II. Configure PortSentry
1. Modify the configuration file portsentry.conf
To use PortSentry for intrusion detection, you must first define the list of ports to be monitored and the countermeasures to apply, then start the background process that watches those ports. As soon as a scan against one of them is detected, the configured countermeasure is triggered to block the scanner.
(1) Set the port list
The default port configuration in portsentry.conf looks like this:
# Un-comment these if you are really anal:
# TCP_PORTS = "109,110,111,119,138,139,143,512,513,514,515,540,636,108, []
# UDP_PORTS = "69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,204, []
# Use these if you just want to be aware:
TCP_PORTS = "111,119,143,540,635,108, []
UDP_PORTS = "161,162,513,635,640,641,700,374, 9,69, 44,34555, 31335,32770, 32771,32772, 32773,32774, 31337,54321"
# Use these for just bare-bones
# TCP_PORTS = "15,110,111,143,540,635,180,152, 54320"
# UDP_PORTS = "161,162,513,640,700,327, 54321"
You can uncomment one of the lists above to enable a default configuration, or write a new list in the same format to suit your own situation. Which ports to list depends on the server: ports that a legitimate service listens on must not be monitored. On a web server, for example, the web port must not be in the list, whereas on an FTP-only server the web port can be monitored.
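As an added example (not from the article or the PortSentry project), the following Python script applies the rule just stated: it parses the active TCP_PORTS/UDP_PORTS lines and flags any port the host really listens on. The sample configuration excerpt and the set of listening ports are constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt in the TCP_PORTS/UDP_PORTS format shown above
# (example values, not the distribution's full default lists).
SAMPLE_CONF = '''
# Un-comment these if you are really anal:
# TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143"
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,80,111,119,143,540,635,1080,1524,2000,5742,6667,12345,31337,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,31337,54321"
'''

# Constructed set of (proto, port) pairs the host really listens on,
# e.g. taken from "ss -lntu" on a web/IMAP server that also runs SNMP.
LISTENING: Set[Tuple[str, int]] = {("tcp", 22), ("tcp", 80), ("tcp", 143), ("udp", 161)}

_PORT_LINE = re.compile(r'^\s*(TCP_PORTS|UDP_PORTS)\s*=\s*"([^"]*)"\s*$')

def parse_port_lists(conf: str) -> Dict[str, List[int]]:
    """Return the active (uncommented) TCP_PORTS/UDP_PORTS lists as ints."""
    lists: Dict[str, List[int]] = {}
    for line in conf.splitlines():
        m = _PORT_LINE.match(line)
        if not m:            # comments and other keys are skipped
            continue
        lists[m.group(1)] = [int(p) for p in m.group(2).split(",") if p.strip()]
    return lists

def _proto(key: str) -> str:
    return key.split("_")[0].lower()   # "TCP_PORTS" -> "tcp"

def conflicts(lists, listening) -> Dict[str, List[int]]:
    """Monitored ports a real service already uses: in basic mode PortSentry
    cannot bind them, and in any mode legitimate clients would get blocked."""
    out: Dict[str, List[int]] = {}
    for key, ports in lists.items():
        bad = sorted(p for p in ports if (_proto(key), p) in listening)
        if bad:
            out[key] = bad
    return out

def render_fixed(lists, listening) -> str:
    """Emit TCP_PORTS/UDP_PORTS lines with the conflicting ports removed."""
    lines = []
    for key, ports in lists.items():
        keep = [str(p) for p in ports if (_proto(key), p) not in listening]
        lines.append(f'{key}="{",".join(keep)}"')
    return "\n".join(lines)
```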
(2) Related files in portsentry.conf
Several file paths are configured in portsentry.conf. Their purposes are:
# Hosts listed in this file are allowed to scan the server and are never blocked
IGNORE_FILE="/usr/local/psionic/portsentry.ignore"
# This file keeps the history of all IP addresses that previously attacked the host
HISTORY_FILE="/usr/local/psionic/portsentry.history"
# This file records the IP addresses of hosts whose connections have been blocked
BLOCKED_FILE="/usr/local/psionic/portsentry.blocked"
(3) Set route redirection
By configuring portsentry.conf you can add a bogus route that redirects the scanning host's packets to a non-existent host, so that it cannot obtain any information. The configuration looks like this:
# Generic
# KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
# Generic Linux
KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
The route command differs between platforms, so select the line for your own platform in the configuration file. My server is CentOS 5.5 x86_64, and the syntax above is the Linux one. PortSentry is very user-friendly: the configuration file already contains the command for each system, so we only need to uncomment the right one.
(4) Alternatively, use the Linux iptables command to cut off the connection from the attacking host:
KILL_ROUTE="/usr/local/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
You can also write the attacker's IP address directly into /etc/hosts.deny and let the TCP Wrappers protection mechanism block it:
KILL_HOSTS_DENY="ALL: $TARGET$ # Portsentry blocked"
By default, PortSentry uses TCP Wrappers to cut the host off.
(5) Custom warning message
We can also customize a warning message to send to the attacker. The manual does not recommend this option, however, because it reveals that the host is running an IDS.
PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."
After editing, restrict the file permissions to keep it secure:
chmod 600 /usr/local/psionic/portsentry.conf
2. Configure the portsentry.ignore file
The /usr/local/psionic/portsentry.ignore file lists the host IP addresses that PortSentry ignores, that is, addresses that are allowed to scan the host without being blocked. For example:
# Put hosts in here you never want blocked. This includes the IP addresses
# of all local interfaces on the protected host (i.e. virtual host, multi-home)
# Keep 127.0.0.1 and 0.0.0.0 to keep people from playing games.
127.0.0.1/32
0.0.0.0
# Exclude all local interfaces
192.168.1.103
192.168.1.102
127.0.0.1
Remember to include the local addresses, just in case.
After editing, change the file's default permissions as well:
chmod 600 /usr/local/psionic/portsentry.ignore
III. Start detection mode
Finally, the start-up modes of PortSentry. For each of the TCP and UDP protocols, PortSentry has three modes: basic, stealth, and advanced stealth scan detection, so six modes in total:
◆ portsentry -tcp: basic port-binding mode for TCP;
◆ portsentry -udp: basic port-binding mode for UDP;
◆ portsentry -stcp: stealth scan detection mode for TCP;
◆ portsentry -sudp: stealth scan detection mode for UDP;
◆ portsentry -atcp: advanced stealth scan detection mode for TCP;
◆ portsentry -audp: advanced stealth scan detection mode for UDP.
Generally, the stealth mode or the advanced stealth mode is recommended.
In advanced stealth scan detection mode (Advanced Stealth Scan Detection Mode), PortSentry automatically determines which ports are already in use on the server, excludes them from the monitored list, and monitors only the remaining ports. This speeds up the response to port scans and uses very little CPU time. This mode is very intelligent and I prefer to use it.
The command to start PortSentry is:
# /usr/local/psionic/portsentry -atcp
Add the startup command to /etc/rc.d/rc.local so that PortSentry runs automatically when the machine reboots; it can then be started, stopped and checked like any other background process.
IV. Test
After starting PortSentry on 192.168.1.102, we temporarily empty portsentry.ignore and then run nmap -sS 192.168.1.102 from another machine, 192.168.1.104. After a moment, "ALL: 192.168.1.104" appears in /etc/hosts.deny, proving that the configuration works.
To prove its effectiveness further, I deployed portsentry 1.2 on a production LVS machine and checked the log:
[root@localhost portsentry_beta]# tail /var/log/messages
Jun  6 13:11:07 localhost portsentry[2555]: attackalert: TCP SYN/Normal scan from host: adsl-65-9-251-89.mia.bellsouth.net/65.9.251.89 to TCP port: 80
Jun  6 13:11:07 localhost portsentry[2555]: attackalert: Host 65.9.251.89 has been blocked via wrappers with string: "ALL: 65.9.251.89"
Jun  6 13:11:07 localhost portsentry[2555]: attackalert: TCP SYN/Normal scan from host: adsl-65-9-251-89.mia.bellsouth.net/65.9.251.89 to TCP port: 80
Jun  6 13:11:07 localhost portsentry[2555]: attackalert: Host: adsl-65-9-251-89.mia.bellsouth.net/65.9.251.89 is already blocked Ignoring
Jun  6 13:11:08 localhost portsentry[2555]: attackalert: TCP SYN/Normal scan from host: adsl-65-9-251-89.mia.bellsouth.net/65.9.251.89 to TCP port: 80
Jun  6 13:11:08 localhost portsentry[2555]: attackalert: Host: adsl-65-9-251-89.mia.bellsouth.net/65.9.251.89 is already blocked Ignoring
Jun  6 13:19:57 localhost portsentry[2555]: attackalert: TCP SYN/Normal scan from host: ns000034.ovh.net/91.121.14.153 to TCP port: 80
Jun  6 13:19:57 localhost portsentry[2555]: attackalert: Host 91.121.14.153 has been blocked via wrappers with string: "ALL: 91.121.14.153"
Jun  6 13:35:44 localhost portsentry[2555]: attackalert: TCP SYN/Normal scan from host: 61.156.31.43/61.156.31.43 to TCP port: 80
Jun  6 13:35:44 localhost portsentry[2555]: attackalert: Host 61.156.31.43 has been blocked via wrappers with string: "ALL: 61.156.31.43"
Checking /etc/hosts.deny shows the following malicious IP addresses:
ALL: 113.57.224.3
ALL: 124.238.249.246
ALL: 65.9.251.89
ALL: 91.121.14.153
ALL: 61.156.31.43
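As an added example (not from the article or the PortSentry project), the following Python script summarizes "attackalert" lines in the format shown in the log above, per scanning host, and lists scanners that were seen but never blocked, which is the check to run after a deployment like the one described. The log excerpt is constructed with placeholder names and addresses.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed excerpt in the format PortSentry writes to /var/log/messages.
# Names and addresses are placeholders, not the ones from the article.
SAMPLE_LOG = """\
Jun  6 13:11:07 localhost portsentry[2555]: attackalert: TCP SYN/Normal scan from host: scanner-a.example.net/203.0.113.10 to TCP port: 80
Jun  6 13:11:07 localhost portsentry[2555]: attackalert: Host 203.0.113.10 has been blocked via wrappers with string: "ALL: 203.0.113.10"
Jun  6 13:11:08 localhost portsentry[2555]: attackalert: TCP SYN/Normal scan from host: scanner-a.example.net/203.0.113.10 to TCP port: 111
Jun  6 13:11:08 localhost portsentry[2555]: attackalert: Host: scanner-a.example.net/203.0.113.10 is already blocked Ignoring
Jun  6 13:19:57 localhost portsentry[2555]: attackalert: UDP scan from host: 198.51.100.7/198.51.100.7 to UDP port: 161
Jun  6 13:19:57 localhost portsentry[2555]: attackalert: Host 198.51.100.7 has been blocked via wrappers with string: "ALL: 198.51.100.7"
Jun  6 13:20:30 localhost portsentry[2555]: attackalert: TCP SYN/Normal scan from host: 192.0.2.9/192.0.2.9 to TCP port: 143
Jun  6 13:21:00 localhost sshd[2600]: Accepted publickey for admin from 192.168.1.103 port 51234 ssh2
"""

SCAN = re.compile(r"attackalert: (?P<kind>.+?) scan from host: \S+?/(?P<ip>[\d.]+) to (?:TCP|UDP) port: (?P<port>\d+)")
BLOCKED = re.compile(r"attackalert: Host (?P<ip>[\d.]+) has been blocked via (?P<how>\w+)")
REPEAT = re.compile(r"attackalert: Host: \S+?/(?P<ip>[\d.]+) is already blocked")

def summarize(log: str) -> Dict[str, dict]:
    """Per scanning IP: ports probed, scan kinds, blocking method, repeat hits."""
    hosts: Dict[str, dict] = defaultdict(
        lambda: {"ports": [], "kinds": set(), "blocked_via": None, "repeats": 0})
    for line in log.splitlines():
        if m := SCAN.search(line):
            hosts[m["ip"]]["ports"].append(int(m["port"]))
            hosts[m["ip"]]["kinds"].add(m["kind"])
        elif m := BLOCKED.search(line):
            hosts[m["ip"]]["blocked_via"] = m["how"]
        elif m := REPEAT.search(line):
            hosts[m["ip"]]["repeats"] += 1
    return dict(hosts)

def unblocked(summary: Dict[str, dict]) -> List[str]:
    """Scanners seen but never blocked: KILL_HOSTS_DENY/KILL_ROUTE did not
    fire for them (e.g. the address is in portsentry.ignore), so check them."""
    return sorted(ip for ip, h in summary.items() if h["blocked_via"] is None)
```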